File Insecurities and Prevention in Perl
Perl Insecurities and Prevention – Part 5
Perl Course
Foreword: In this part of the series, I talk about file insecurities and prevention.
By: Chrysanthus Date Published: 23 Nov 2015
Introduction
File insecurity can be seen in three related ways:
- The file has a known path and name, but its contents were not produced by the program; anything may be inside it.
- The program obtains the path of the file from outside itself, so even the path cannot be trusted.
- The content, or parts of it, may ultimately harm the program or, through the program, the rest of the system.
Prevention can be summarized in three rules. Untrusted data or code should not enter a program without being checked. While it is inside the program it should not be allowed to alter the program's flow. And it should not leave the program for other destinations (a shell, another program, the file system, a database) unless it has been checked, because whatever damage it does there is done in the program's name.
The verb, taint, means to damage or spoil the quality of something. In Perl, taintedness is a flag attached to each scalar value. When a program runs with the -T switch (perl -T filename.pl, or #!/usr/bin/perl -T on the first line), every value that originates outside the program is marked tainted; the mark propagates through copies, concatenation and most string operations; and any attempt to use a tainted value in something that affects the outside world (system(), exec(), backticks, open() for writing, unlink(), rename(), chmod() and so on) dies with the message "Insecure dependency". The only way to untaint a value is to validate it and extract the acceptable part with a regular-expression capture. The tainted() function from Scalar::Util reports whether a value carries the flag.
File is not known
Under taint mode, Perl does not trust anything whose value comes from outside the program: command-line arguments, environment variables, standard input, the contents of files, directory listings and the output of other programs. The program may well open a file that is perfectly good; Perl simply has no way to know that, so it marks what comes out of the file as tainted and leaves the checking to you. The following expressions (the list is the one given in Perl's own perlsec documentation) produce tainted data or use it in a way that taint mode refuses:
$line = <>;
$line = <STDIN>;
$line = <FOO>;
system "/bin/echo", $arg;
open(FOO, "> $arg");
exec 'echo', $arg;
@files = <*.c>;
@files = glob('*.c');
$path = $ENV{'PATH'};
readdir(), backticks and other calls that fetch values from the operating system
Each expression above either yields a tainted value or uses one in an operation that changes something outside the program. Taking them in turn:
$line = <>;
One way to run a Perl program in taint mode is:
perl -T filename.pl file1 file2 file3
filename.pl is the program; file1, file2 and file3 are its arguments and become the values of Perl's special array, @ARGV. The diamond operator, <>, reads line by line from each file named in @ARGV in turn (or from STDIN if @ARGV is empty).
Both the names in @ARGV and the lines read through <> come from outside the program, so Perl marks them tainted. The remedy is not to inspect the files by hand but to validate each value against the format the program expects and untaint it by capturing the acceptable part with a regular expression; anything that fails the check is rejected, not cleaned up.
$line = <STDIN>;
This expression reads a line from standard input. Whatever the user typed, or whatever was piped in, has not been validated, so Perl marks the value tainted. Validate it, and untaint the validated part with a regex capture, before using it in anything that touches the file system or another program.
$line = <FOO>;
FOO is a filehandle on a file. Even if the program opened the file by a trusted, literal name, the contents were not written by this program, so every line read through <FOO> is tainted. Validate each line against the format you expect rather than trusting the file as a whole.
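The three cases above (a name taken from @ARGV or STDIN, and lines read through a filehandle) together, as an added example that is not part of the original article. It also shows the point made under open() further down: reading through a tainted name is allowed, writing through it is refused. The filename policy (word characters, dot and hyphen, not starting with a dot) and the key=value line format are assumptions made for this example.

```perl
#!/usr/bin/perl -T
# Added example, not from the original article: a filename arrives from
# @ARGV or STDIN, is shown to be tainted, is untainted with a regex
# capture, and the file is then read line by line with each line validated.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run as:  perl -T script.pl data.txt   (or pipe the name into STDIN).
# -T must be on from the start; "perl script.pl" with a -T shebang dies
# with "Too late for -T option".
my $name = @ARGV ? $ARGV[0] : <STDIN>;
die "no filename given\n" unless defined $name;
chomp $name;
print "input tainted: ", (tainted($name) ? "yes" : "no"), "\n";

# Reading through a tainted name is allowed; writing through it is not.
# The open dies with "Insecure dependency in open" and eval catches it.
eval { open(my $w, '>', $name) or die "open: $!\n"; 1 }
    or print "write-open with tainted name refused: $@";

# Untaint by capturing only what we accept. Assumed policy for this
# example: a plain name in the current directory, word characters, dot
# and hyphen, not starting with a dot (so no ".." and no hidden files).
my ($safe) = $name =~ /\A([\w-][\w.-]*)\z/
    or die "refused filename: $name\n";
print "after untaint: ", (tainted($safe) ? "tainted" : "clean"), "\n";

open(my $fh, '<', $safe) or die "cannot open $safe: $!\n";
while (my $line = <$fh>) {
    chomp $line;
    # Every line read from the file is tainted: it came from outside too.
    # Accept only the format the program expects, here key=value pairs;
    # the two captures are the untainted values.
    my ($key, $value) = $line =~ /\A(\w+)=([\w .-]*)\z/
        or do { warn "skipped malformed line: $line\n"; next };
    print "$key => $value\n";
}
close $fh;
```

The pattern does the validating and the untainting in one step: if the name does not match, there is no capture and the program stops, rather than trying to strip bad characters out and carry on.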
system "/bin/echo", $arg;
Here Perl's system() function runs the external command /bin/echo with $arg as its argument. The list form, with the command and its argument as separate elements, never passes through a shell, which removes shell-injection problems, but it does not remove taint: if $arg came from outside the program (from @ARGV, say), it is tainted, and Perl refuses the call with "Insecure dependency in system". The call is also refused while $ENV{'PATH'} is tainted, which it is until the program sets it. Perl cannot know what /bin/echo would do with the data, so the rule is that no tainted value may be handed to another program.
open(FOO, "> $arg");
$arg holds a filename and the call opens it for writing. Opening a file for reading through a tainted name is allowed, because the program only takes data in; opening it for writing, for appending or through a pipe changes something outside the program, so if $arg is tainted the open is refused with "Insecure dependency in open". Validate the name (no directory separators or ".." unless you intend them), untaint it with a regex capture, and prefer the three-argument form of open() so that a name beginning with ">" or "|" cannot change the mode the way it can in the two-argument form shown.
exec 'echo', $arg;
The Perl exec() function is like system() except that it replaces the current process with the command and never returns. The same rule applies: echo is found through $ENV{'PATH'}, which must be clean, and $arg must not be tainted, so the call is refused until $arg has been validated and untainted (or is a literal written in the program). The list form shown avoids the shell; exec "echo $arg" would additionally let shell metacharacters in $arg run other commands.
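The system() and exec() cases worked through, as an added example that is not part of the original article. It shows the environment being laundered, the refusal of a tainted argument, and the list-form call after untainting. The fixed PATH value and the argument policy (word characters, space, dot and hyphen) are assumptions made for the example; the names of the shell start-up variables removed from %ENV are the ones perlsec recommends deleting.

```perl
#!/usr/bin/perl -T
# Added example, not from the original article: calling an external
# command under taint mode. Two things must be clean before system() or
# exec() is permitted: the argument, and the environment the child would
# inherit. The PATH value and the untaint pattern are assumptions.
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Run as:  perl -T script.pl 'some text'
my $arg = @ARGV ? shift @ARGV : 'hello';   # from @ARGV: tainted;
                                           # the literal default: clean

# 1. Launder the environment. %ENV came from outside, so $ENV{PATH} is
#    tainted and any subprocess call would die with "Insecure $ENV{PATH}".
#    Give it a fixed value and remove the variables a shell reads at start.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# 2. The argument is still tainted. The list form of system() never
#    involves a shell, but Perl still refuses to hand tainted data to
#    another program, so this call dies and eval catches it.
if (tainted($arg)) {
    eval { system('/bin/echo', $arg); 1 }
        or print "system() with tainted argument refused: $@";
}

# 3. Untaint by extracting only what we are prepared to pass on. Assumed
#    policy: word characters, space, dot and hyphen; anything else is an
#    error rather than something to "clean up".
my ($clean) = $arg =~ /\A([\w .-]+)\z/
    or die "argument contains characters this program will not pass on\n";

# 4. Permitted now. Because this is the list form, /bin/sh is not
#    involved and $clean is delivered to echo as a single literal argument.
system('/bin/echo', $clean) == 0
    or die "echo failed with status $?\n";

# The string form, system("echo $clean"), would be parsed by /bin/sh and
# be only as safe as the pattern in step 3; prefer the list form.
```

Perl also checks that every directory named in $ENV{'PATH'} is not writable by others before it will start a subprocess, so a PATH that is clean of taint but points at a world-writable directory is still refused.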
@files = <*.c>; and @files = glob('*.c');
Now, *.c means every file in the working directory whose extension is .c, for example one.c, two.c or john.c. The list of names is obtained from the operating system with readdir() or something like it, not produced by the program, so each returned name is tainted; a name can also contain characters (spaces, semicolons, leading hyphens) that become dangerous once it is interpolated into a command. Before using a name from a glob in unlink(), rename(), open() for writing or a command, match it against the pattern of names you accept and use the capture.
$path = $ENV{'PATH'};
%ENV is a hash that Perl fills from the process environment handed to it by the operating system; $ENV{'PATH'} is the list of directories searched for executables. A Windows-style example of its value is:
C:/Perl/site/bin;C:/Perl/bin;C:/Program Files/PHP/;C:/WINDOWS/system32;C:/WINDOWS;C:/WINDOWS/System32/Wbem;C:/Program Files/MySQL/MySQL Server 5.5/bin
Each entry is a directory that may contain executables; for example, the Perl interpreter itself, perl5.18.2.exe in this installation, is in C:/Perl/bin. Entries are separated by semicolons on Windows and by colons on Unix-like systems.
Because the environment is set by whoever started the process, every value in %ENV is tainted, PATH included; the assignment $path = $ENV{'PATH'} therefore gives a tainted $path. The consequence reaches further than that assignment: whenever the program calls system(), exec(), backticks or a piped open(), Perl checks $ENV{'PATH'} and dies with "Insecure $ENV{PATH}" if it is tainted, and also refuses if any directory in it is writable by others. The fix is to assign a fixed, clean value to $ENV{'PATH'} near the top of the program and to delete IFS, CDPATH, ENV and BASH_ENV from %ENV, since a shell started by the program reads those at start-up.
readdir(), glob() and the backtick operator all return values obtained from the operating system: directory entries and command output. They are tainted because the program did not produce them, whatever the state of the operating system. Untaint each value by matching it against the pattern you expect before using it in an operation that changes the system.
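The glob() and readdir() cases worked through, as an added example that is not part of the original article. It creates a scratch directory with a few constructed file names, shows that both glob() and readdir() return tainted names, and untaints each one against an assumed policy before renaming it. The directory, the file names and the policy pattern are assumptions made for the example.

```perl
#!/usr/bin/perl -T
# Added example, not from the original article: names returned by glob()
# and readdir() are tainted because the list comes from the file system,
# not from the program. Each name is untainted against an assumed policy
# before it is used in rename(), which changes the system. The sandbox
# directory and its files are constructed for the example.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Scalar::Util qw(tainted);

# A scratch directory, removed at exit. Its path is untainted explicitly
# so that the example does not depend on how File::Temp derives it.
my ($dir) = tempdir(CLEANUP => 1) =~ m{\A([\w./-]+)\z}
    or die "unexpected temp directory path\n";

# Constructed contents: two acceptable names and one that carries a
# space and a semicolon, harmless here but dangerous once interpolated
# into a shell command.
for my $n ('one.c', 'two.c', 'bad name;rm.c') {
    open(my $fh, '>', "$dir/$n") or die "create $n: $!\n";
    close $fh;
}

my @found = glob("$dir/*.c");
print "glob() result tainted: ", (tainted($found[0]) ? "yes" : "no"), "\n";

opendir(my $dh, $dir) or die "opendir: $!\n";
my @names = grep { !/\A\.\.?\z/ } readdir $dh;   # drop . and ..
closedir $dh;
print "readdir() result tainted: ", (tainted($names[0]) ? "yes" : "no"), "\n";

# Assumed policy: a .c file whose name is word characters, dot and hyphen
# and does not start with a dot. The capture is the untainted value; a
# name that fails the match is reported and left alone, not "repaired".
for my $name (sort @names) {
    my ($safe) = $name =~ /\A([\w-][\w.-]*\.c)\z/;
    unless (defined $safe) {
        warn "refusing to touch '$name': does not match policy\n";
        next;
    }
    # With the tainted $name instead of $safe this would die with
    # "Insecure dependency in rename while running with -T switch".
    rename("$dir/$safe", "$dir/$safe.bak")
        or die "rename $safe: $!\n";
    print "renamed $safe to $safe.bak\n";
}
```

The third file is deliberately left untouched: a name that does not fit the policy is evidence that something unexpected is in the directory, and the right response is to report it, not to quietly sanitize it and carry on.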
Unknown File Path
If the program's idea of where a file lives came from outside (an argument, an environment variable, a configuration file), then both the path and whatever is found at it are tainted. Check that the path stays inside the directory you intend, reject ".." components and absolute paths unless they are expected, untaint the validated string with a regex capture, and only then use it.
The Content or Parts of a File
The content of a file may be wrong or hostile even when its name was trusted, because data read from any filehandle is tainted regardless of how the file was opened. Do not open files you do not trust, and validate what you read from the ones you do against the format the program expects before acting on it.
That is it for this part of the series. We stop here and continue in the next part.
Chrys